Customize your Duo experience by changing global settings in the Duo Admin Panel.
To access the Admin Panel, navigate to Duo Admin Panel , enter your administrator account email address and password, and click Log In. After your login is accepted, you then must authenticate using a second factor. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication See Managing Duo Administrators for instructions.
The browser used to access the Admin Panel must support TLS 1.2, which most modern browsers do by default. If you have issues accessing the site, please update your browser or check your browser’s SSL implementation here: https://www.ssllabs.com.
Administrators may use the Settings page in the Duo Admin Panel to customize account branding and second factor features. To access these features, log in to the Duo Admin Panel and click Settings on the left.
Once on the "Settings" page, use the left side navigation to access different sections on the page. Be sure to click the Save Changes button at the top of the page after updating any settings.
Role required: Owner or Administrator (Billing role may not access the Settings page, other roles may view but not modify settings).
At the top of the Settings page you can change your Account name, Country/region, Language, Preferred timezone, or Logo. The Country/region and Preferred timezone selections apply to most dates and timestamps in the Duo Admin Panel.
Changing the Language setting from English to French or German causes end-user interactions with Duo's service to use the chosen language. This includes the browser-based Duo Prompt, Duo Mobile activation and SMS passcode text messages, and phone call authentication. This setting is global; users experience the selected language in the authentication prompt no matter their actual location.
The Account Name and Logo specified here will be displayed in your Duo Admin Panel, and seen by your users during enrollment and authentication via browser, as well as in the Duo Mobile app. The logo image must be in PNG format and not exceed 500 by 500 pixels and 200 KB. We recommend a 304 by 304 pixel logo image with a transparent background for the best results.
As an example, if you upload a company logo and change the account name to "Acme Corp." like so:
The account appears in Duo Mobile as follows:
The company logo you update here is also shown in the Duo Prompt.
The Duo authentication prompt displays the text "Powered by Duo Security" by default. To remove this statement from your authentication prompt, clear the Duo branding General settings option.
In the "Phone Calls" section of the Settings page you can customize your users' experience of callback-based second-factor authentication. Set the "Outgoing caller ID" so that automated calls from Duo appear to come from a specific number within your organization (such as main reception or tech support).
Duo's telephony provider partners recognize Duo's callback numbers as legitimate. Be aware that customizing this number from the Duo defaults may cause telephony providers to flag your number as fraudulent and result in failed user authentications.
The default setting allows users to press any key to approve an authentication request. You can customize which keys may be used for authentication approval or reporting fraudulent requests in the "Phone callback keys" section.
In the "SMS Passcodes" section of the Settings page, admins can customize the message sent to users with SMS passcodes, as well as the number of passcodes sent in each batch (up to 10). Sending multiple passcodes in one SMS message is cost-effective for both users and organizations. For additional security, SMS passcodes can be set to expire after a set time. A new batch can be automatically sent after the last passcode is used, so users are never without an authentication passcode.
These settings do not affect passcodes used by Duo administrators to log into the Admin Panel.
In the "Lockout and Fraud" section of this page, you can adjust the number of consecutive failed authentication attempts allowed before the user's account is locked out to prevent brute force attacks. The user lockout counter increments after each failed authentication attempt (such as push timeout or incorrect passcode entered). The default lockout threshold is ten failed attempts.
If "Auto-lockout expiration" is enabled, a locked-out Duo user is automatically moved back to "Active" status after the specified amount of time. Otherwise, locked-out users may not log in until you manually change that user's status from "Locked Out" to "Active" or "Bypass".
Log in to the Duo Admin Panel and click Users in the left sidebar.
Select a user by clicking their username. You will see the user's current status in the "Status" section of the user properties page:
Re-enable the user by selecting the desired status, then scroll down and click the Save Changes button.
You can also specify who to email when a lockout is triggered with the "Alert email" setting. Notify all admins sends an email to all Duo administrators at each user lockout. Use the Notify a specific email address field to limit which Duo administrators receive lockout notifications or to specify a distribution list. Lockout events trigger no emails with the Do not notify option enabled.
Enabling the "Anomaly Detection" setting provides enhanced protection from fraudulent authentication requests for Duo Mobile users. Check the box next to Block anomalous Duo Push attempts to activate this option. Anomaly detection prevents Duo Mobile from receiving multiple push requests per user within a short period of time. Users will need to wait one minute before requesting another Duo Push. Authentication Log entries alert administrators to the behavior. Customers who have created automation leveraging two-factor authentication should add delays to their process to avoid triggering anomaly detection.
These settings do not apply to Duo administrator accounts. Learn more about administrator lockout here.
Duo's telephony usage includes activation and authentication SMS messages and authentication phone calls for both end users and Duo administrators. Duo debits your telephony credit balance for each authentication call or SMS message sent (as per the rate card). Paid accounts](/pricing) are issued credits yearly, and may purchase extra telephony credits as needed. Duo Free accounts do not receive automatic credit refills, but may purchase additional telephony credits.
If you ever exhaust your telephony credit balance, your users will not be able to receive authentication phone calls or text messages. To avoid this, Duo automatically notifies all account administrators when the credit balance falls below a pre-determined percentage of your total credits.
You can configure the credit balance email alert in the "Telephony Credits" section of the settings page. Change the "Low-credit alerts" option to Alert when account has fewer than _ credits and enter a number in the blank to change when the alert gets triggered. You can also change the low-credit alert email recipient by entering an email address in the Low credit alert email field. If no email is specified then all Duo administrators receive the low-credit alert email.
The rate card shows how many credits each SMS message or telephone call consumes per country. By default, Duo restricts the maximum telephony credits used per transaction to 20 credits. If your users are in locations with more expensive telephony rates you can increase the 20 credit maximum. Conversely, if you know that telephony rates for your users should never exceed a certain amount you may reduce the maximum allowed credits below 20. To raise or lower the maximum credit usage per user authentication, enter the desired number in the Max credits per action box.
Since Duo is licensed on a per-user basis, you are charged based on the number of users you have in Duo, regardless of their activity. Duo's default behavior with regard to inactive accounts is to do nothing. Admins may choose to automatically remove inactive users from Duo after a set period. To do this, click the radio button next to Expire users after a set period of inactivity and enter the maximum number of days an inactive user will be permitted to remain in Duo (up to 365). The number of inactive days is calculated from the last successful Duo authentication. Failed authentication attempts do not reset the inactivity counter.
If this option is enabled, Duo moves users who do not authenticate for the specified number of days into the "Trash" users view and puts into "pending deletion" status as part of a daily process. This also applies to existing users who have not authenticated within the newly configured inactivity period. After seven days with "pending deletion" status, the user is permanently deleted from Duo.
For example, you may have users who enrolled in Duo but have not authenticated in the past 100 days. If you enable inactive user expiration and set the maximum number of days to 90, then all users who last authenticated more than 90 days ago are moved into the Trash to be deleted seven days later. Going forward, any user whose inactivity counter reaches 90 days will also be put into the Trash for seven days, and then deleted.
A user may not log in with Duo while their Duo account is pending deletion. At any time before the seven day pending deletion period ends you may restore the user from the Trash. Restoring a user account from the Trash doesn't change the user's status; you'll need to update the user's status back to "active" or "bypass" before they can log in.
If you restore the user account but the user still does not log in to Duo, then the account will be sent to the Trash once again for inactivity.
A user deleted by the system for inactivity will need to re-enroll in Duo in order to authenticate again.
Inactive user expiration doesn't apply to users managed by Directory Sync. Those users remain in Duo as long as they're present in the source directory groups selected in your directory sync configuration. When you remove users from all groups you've synced to Duo in the source directory, the next scheduled sync places those users into the Trash for deletion in seven days.
The Duo Mobile app's Security Checkup feature checks and reports on a user's iOS or Android device security hygiene in the application itself. Potential device security issues, like an outdated operating system or lack of screen lock, are flagged within Duo Mobile for action by the user. The Security Checkup is enabled by default. You can change this on the Settings page.
Security Checkup always verifies device settings against Duo's recommended security settings, regardless of any authentication device policy settings you've created. For instance, Security Checkup flags rooted status on an Android device whether you've enabled a policy that blocks authentication from rooted or jailbroken devices or not.
Security Checkup doesn't block users from authenticating if it does find any issues with a user's phone. Be sure to implement Duo policy restrictions to prevent access and authentication for users with device security issues.
With Security Checkup enabled, Duo Mobile checks these device attributes:
Security Checkup notifies users about detected issues via a pop-up at the bottom of the app screen, which they can tap to see more information. End users can always view their device's security posture from within the Duo Mobile app. On iOS go to Menu → Security Checkup and on Android go to Menu → Settings → Security Checkup.
Example: Android device with all recommended settings
Example: iOS device without all recommended settings
Duo Mobile collects usage analytics and crash reporting information that we use to improve our service. Individual end users may opt-out of sending usage data at any time from within the Duo Mobile app's settings. Learn more about what information Duo collects and how we use it.
You can disable Duo Mobile usage analytics and crash reporting collection at an organizational level by changing the "Usage Analytics" setting to Do not allow Duo Mobile to collect usage data. This change becomes effective the next time a user opens Duo Mobile.
Instant Restore enables account recovery of "Duo-Protected" accounts (accounts used to approve logins for Duo-protected applications and services) and "Duo Admin" administrator login accounts when a Duo Mobile user gets a new iOS or Android device. To enable it, select Allow Instant Restore for Duo Mobile on Android and iOS. Then, instruct your iOS users to ensure that iCloud Keychain is enabled on the iOS devices where they use Duo Mobile. Android users should toggle on the Backup accounts with Google Drive option in Duo Mobile and follow the in-app prompts to connect to Google Drive to store their app backup.
When users with account backups open Duo Mobile on their new device, they can tap Get My Account Back to begin the Instant Restore process. Android users must have their old device available to scan a QR code generated on that device to transfer the information to the new device.
iOS users don't need their old device available to complete the restore, but we do push a restore notification to the old phone. If the user did indicates they did not initiate the restore action, Duo deactivates both the old and the new iOS devices and emails the Duo administrators configured to receive Lockout and Fraud alert emails.
Successful Instant Restore deactivates the "Duo-Protected" and "Duo Admin" accounts on the old device.
Note that Instant Restore does not restore third-party OTP accounts in Duo Mobile nor deactivate third-party accounts on the old device. Users should still enable third-party account recovery in Duo Mobile to restore third-party OTP accounts with a recovery password.
Users who leave your organization still retain the Duo Mobile account backups until they delete the accounts or remove the backup. Disabling/deleting the user's account in Duo as part of your offboarding process prevents use of any restored Duo Mobile accounts, as they will remain disconnected.
Instant Restore requires Duo Mobile for Android 3.32.0 or later and Duo Mobile for iOS 3.33.0 or later.
With the release of Duo Mobile Instant Restore for both Android and iOS platforms, we recommend enabling that functionality over Duo Mobile Restore for recovering Duo-protected and Duo Admin accounts in Duo Mobile.
Duo Restore for the Duo Mobile app is a legacy recovery implementation that gives your end users the ability to backup Duo account information from the Duo Mobile app to Google Drive (Android devices) or iCloud (iOS devices). They can use this saved backup information to recover those Duo accounts to a replacement device of the same platform as the original backup via accessing a designated Duo-protected application.
Duo Restore differs from the self-service portal feature as follows:
When enabling Duo Restore, you'll designate a specific Duo-protected application to use with this feature. Users need to perform primary authentication as required by that designated application, plus Duo authentication using any other factor available to them, such as phone call approval, a hard token or SMS passcode, an administrator-issued bypass code, etc. As such, we don't recommend selecting an application to use with Duo Restore that also has an authentication methods policy applied which restricts use of factors other than Duo Push, as this prevents user recovery of accounts using Duo Restore to a new device unless your users typically have a second device already activated for Duo Push.
To enable Duo Restore:
Once you enable Duo Restore your end users can avail themselves of the Duo Mobile app's account recovery options after installation on a new device. Successful Duo Restore deactivates the "Duo-Protected" and "Duo Admin" accounts on the old device.
To learn more about the Duo Restore experience for end users, see the Duo Restore page in the end-user guide.
Please note that Duo's app account backup and restore will not restore any third-party service accounts (where users scanned a QR code to enable 2FA on an external service like Facebook or Twitter) to a replacement device. After completing Duo Restore on a new device, a user needs to manually reactivate the Duo app for any third-party services. Note that an iOS user who backs up their device to iCloud can restore both Duo and third-party accounts to the same device. This is not possible for Android devices.
Neither Instant Restore nor Duo Restore restore third-party OTP accounts. Be sure to advise your users to set up backups for these third-party accounts in Duo Mobile no matter which Duo account restore option you choose for your organization. Additionally, ensure that users are aware that while restoring Duo-protected and Duo admin accounts to a new device deactivates those accounts on the old device, restoring third-party accounts to a new device does not deactivate those OTP accounts on the old one, so the old device could still be used to generate login passcodes for those third-party services. The user should delete those accounts from Duo Mobile on the old device, or delete the app on the old device.
By default, Duo authentication, telephony, and administrator action log entries are retained indefinitely. The "Logging" settings allow you to specify a retention period by selecting the Delete logs after _ days option and entering the maximum number of days to retain the log entries. When this option is set to delete, log entries older than the given number of days are purged. This setting becomes effective as soon as you save it; immediately deleting log information beyond the days specified.
Customize the help message shown to your users in the Duo browser prompt with the "Message" setting. Use this field to provide instructions to your users, such as directing them to call or email your organization's support group, or to show the URL of your service desk or device management portal (which they can copy and paste into a new browser tab).
Enter text up to 200 characters; HTML formatting or hyperlinks are not allowed.
The text you specify here displays when a user clicks the "Need help?" link on the left side of the Duo prompt.
Duo Access and Beyond customers using the Device Health application also see the customized help text in the "Need Help?" area of the installed app.
A bypass code is a passcode created as a backup authentication factor when a user's enrolled devices aren't available. Duo admins with the Owner, Administrator, User Manager, or Help Desk roles may create bypass codes for end users. You may optionally restrict your Help Desk admins' ability to customize bypass codes with the Do not allow Help Desk admins to customize bypass codes setting. Enabling this hides all customization options from the Help Desk, and any bypass codes they create are valid for the number of minutes you specify here.
Prevent your Help Desk admins from issuing bypass codes entirely by enabling the Do not allow Help Desk admins to create bypass codes option under Help Desk settings.
A user who exists in Duo but has yet to register any two-factor authentication devices must complete enrollment before they can log in to a Duo-protected service or application with 2FA. If your application does not permit inline self-enrollment, Duo administrators with the Owner, Administrator, or User Manager roles can send (or resend) an enrollment email to the user from the Admin Panel.
To permit Duo admins with the Help Desk role to send enrollment emails to users from the Admin Panel as well, enable the Allow admins with Help Desk role to send enrollment emails option under Help Desk settings.
The "Admin Password Policy" settings define the length and strength requirements for Duo administrative user passwords. The default setting for new Duo customers requires administrator passwords with a minimum length of 12 or more characters. Existing Duo customers who currently have the minimum password length set to a value less than 12 may increase this value incrementally, but once increased may not decrease it.
To change the minimum password length to a value greater than the default, enter the desired number of characters in the Minimum length box.
To enforce password complexity, next to the Require at least one option select any combination of uppercase letter, lowercase letter, number, or special character.
The "Enrollment Email" setting lets you customize the message sent to users imported from into Duo via Active Directory, OpenLDAP, or Azure when the synced directory has the "Send enrollment email to synced users" option enabled. You can choose to include your company logo in the email, which is the same logo image you uploaded in the General section of the Settings page.
The sent message will have a non-editable header added, informing the user it's an automated message sent by Duo and to contact their organization's Duo admins or IT support group with any questions.